@cwilby
Last active July 20, 2018 16:07

Install asuswrt-merlin

https://asuswrt.lostrealm.ca/

Install easy-rsa

(Make sure you have Homebrew installed.)

brew tap riboseinc/easy-rsa
brew install easy-rsa

Clean existing PKI

$ easyrsa clean-all

WARNING!!!

You are about to remove the EASYRSA_PKI at: ~/pki/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: ~/pki/pki

Generate CA

$ easyrsa build-ca nopass

Generating a 2048 bit RSA private key
..........+++
.......................................................................+++
writing new private key to '~/pki/pki/private/ca.key.0000000000'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
~/pki/pki/ca.crt

Build server key/certificates

$ easyrsa build-server-full server nopass

Generating a 2048 bit RSA private key
......................................................................................................................+++
.....................................................................................................................................................................................+++
writing new private key to '~/pki/pki/private/server.key.0000000000'
-----
Using configuration from /usr/local/opt/easy-rsa/share/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jul 17 15:55:31 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Generate DH Parameters

$ easyrsa gen-dh

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
<output>

Build client keys/certificates

$ easyrsa build-client-full client1 nopass
$ easyrsa build-client-full client2 nopass
$ easyrsa build-client-full client3 nopass

Copy files to paste into asuswrt-merlin config

# Change into the PKI directory reported by easyrsa above
cd ~/pki/pki

# Static Key
# (leave blank)

# Certificate Authority
cat ca.crt | pbcopy

# Server Certificate
cat issued/server.crt | pbcopy

# Server Key (generated with nopass, so this file is unencrypted)
cat private/server.key | pbcopy

# Diffie Hellman parameters
cat dh.pem | pbcopy
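
Added example (not part of the original gist): before pasting, this script checks that the server certificate chains to the CA with TLS-server usage and that the private key belongs to it. It assumes the PKI layout shown in the easyrsa output above and an `openssl` binary on the PATH; the function names and the script name `check-pki.sh` are illustrative.

```sh
#!/bin/sh
# Added example, not from the gist: sanity checks before pasting into the router.
# Layout assumed from the easyrsa output: ca.crt, issued/NAME.crt, private/NAME.key

# Public key embedded in a certificate, as PEM.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public key derived from a private key, as PEM.
key_pubkey() { openssl pkey -in "$1" -pubout; }

# check_server_pki PKI_DIR NAME
# Returns 0 only if NAME can serve as the OpenVPN server identity.
check_server_pki() {
    pki=$1
    name=$2
    crt="$pki/issued/$name.crt"
    key="$pki/private/$name.key"

    # 1. The certificate must chain to this CA and be valid for TLS server
    #    use; this rejects a client certificate pasted into the server field.
    if ! openssl verify -purpose sslserver -CAfile "$pki/ca.crt" "$crt" \
            2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $crt is not a server certificate issued by $pki/ca.crt" >&2
        return 1
    fi

    # 2. The private key must be the one the certificate was issued for.
    if [ "$(cert_pubkey "$crt")" != "$(key_pubkey "$key")" ]; then
        echo "FAIL: $key does not match $crt" >&2
        return 1
    fi

    echo "OK: $name chains to the CA and matches its key"
}

# Usage: sh check-pki.sh ~/pki/pki server
if [ "$#" -eq 2 ]; then
    check_server_pki "$1" "$2"
fi
```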